Merge branch 'dev' of ../rebble.net into dev
commit
be9bb9f04d
3 changed files with 16 additions and 62 deletions
|
@ -703,5 +703,15 @@ class Account {
|
|||
return $r;
|
||||
}
|
||||
|
||||
static public function from_id($n) {
|
||||
if (! intval($n)) {
|
||||
return false;
|
||||
}
|
||||
$r = q(
|
||||
"select * from account where account_id = %d limit 1",
|
||||
intval($n)
|
||||
);
|
||||
return ($r) ? array_shift($r) : false;
|
||||
}
|
||||
|
||||
}
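Review bot: `static public function from_id($n)` puts the modifiers in the reverse of the PSR-12 order and carries no docblock or types, and its two `false` returns (an `$n` that `intval()`s to zero, and a query with no matching row) are indistinguishable to callers such as the new `Account::from_id($_SESSION['account_id'])` elsewhere in this commit. I would write `public static function from_id($n)` and add a docblock: `@param int|string $n account_id; anything that intval()s to 0 is rejected` / `@return array|false the account row, or false when $n is invalid or no row matches`. The `%d` placeholder together with `intval($n)` keeps the id out of the SQL text, which is the right shape; a one-line comment saying so (`// %d + intval(): id never reaches the SQL as a string`) would stop a later edit from swapping it for `%s`. The enclosing `class Account` opens before this hunk; the hunk ends at its closing brace.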
|
||||
|
|
|
@ -183,56 +183,4 @@ class Session
|
|||
$arr = array('expire' => $xtime);
|
||||
Hook::call('extend_cookie', $arr);
|
||||
}
|
||||
|
||||
|
||||
public function return_check()
|
||||
{
|
||||
|
||||
// check a returning visitor against IP changes.
|
||||
// If the change results in being blocked from re-entry with the current cookie
|
||||
// nuke the session and logout.
|
||||
// Returning at all indicates the session is still valid.
|
||||
|
||||
// first check if we're enforcing that sessions can't change IP address
|
||||
// @todo what to do with IPv6 addresses
|
||||
|
||||
if ($_SESSION['addr'] && $_SESSION['addr'] != $_SERVER['REMOTE_ADDR']) {
|
||||
logger('SECURITY: Session IP address changed: ' . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
|
||||
|
||||
$partial1 = substr($_SESSION['addr'], 0, strrpos($_SESSION['addr'], '.'));
|
||||
$partial2 = substr($_SERVER['REMOTE_ADDR'], 0, strrpos($_SERVER['REMOTE_ADDR'], '.'));
|
||||
|
||||
$paranoia = intval(get_pconfig($_SESSION['uid'], 'system', 'paranoia'));
|
||||
|
||||
if (! $paranoia) {
|
||||
$paranoia = intval(get_config('system', 'paranoia'));
|
||||
}
|
||||
|
||||
switch ($paranoia) {
|
||||
case 0:
|
||||
// no IP checking
|
||||
break;
|
||||
case 2:
|
||||
// check 2 octets
|
||||
$partial1 = substr($partial1, 0, strrpos($partial1, '.'));
|
||||
$partial2 = substr($partial2, 0, strrpos($partial2, '.'));
|
||||
if ($partial1 == $partial2) {
|
||||
break;
|
||||
}
|
||||
case 1:
|
||||
// check 3 octets
|
||||
if ($partial1 == $partial2) {
|
||||
break;
|
||||
}
|
||||
case 3:
|
||||
default:
|
||||
// check any difference at all
|
||||
logger('Session address changed. Paranoid setting in effect, blocking session. ' . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
|
||||
$this->nuke();
|
||||
goaway(z_root());
|
||||
break;
|
||||
}
|
||||
}
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -10,8 +10,9 @@
|
|||
* Also provides a function for OpenID identiy matching.
|
||||
*/
|
||||
|
||||
use Code\Lib\Libzot;
|
||||
use Code\Lib\Account;
|
||||
use Code\Lib\Channel;
|
||||
use Code\Lib\Libzot;
|
||||
use Code\Extend\Hook;
|
||||
|
||||
require_once('include/api_auth.php');
|
||||
|
@ -261,15 +262,10 @@ if (
|
|||
// already logged in user returning
|
||||
|
||||
if (x($_SESSION, 'uid') || x($_SESSION, 'account_id')) {
|
||||
App::$session->return_check();
|
||||
|
||||
$r = q(
|
||||
"select * from account where account_id = %d limit 1",
|
||||
intval($_SESSION['account_id'])
|
||||
);
|
||||
|
||||
if (($r) && (($r[0]['account_flags'] == ACCOUNT_OK) || ($r[0]['account_flags'] == ACCOUNT_UNVERIFIED))) {
|
||||
App::$account = $r[0];
|
||||
$r = Account::from_id($_SESSION['account_id']);
|
||||
if (($r) && (($r['account_flags'] == ACCOUNT_OK) || ($r['account_flags'] == ACCOUNT_UNVERIFIED))) {
|
||||
App::$account = $r;
|
||||
$login_refresh = false;
|
||||
if (! x($_SESSION, 'last_login_date')) {
|
||||
$_SESSION['last_login_date'] = datetime_convert('UTC', 'UTC');
|
||||
|
@ -280,7 +276,7 @@ if (
|
|||
$login_refresh = true;
|
||||
}
|
||||
$ch = (($_SESSION['uid']) ? Channel::from_id($_SESSION['uid']) : null);
|
||||
authenticate_success($r[0], false, $ch, false, false, $login_refresh);
|
||||
authenticate_success(App::$account, false, $ch, false, false, $login_refresh);
|
||||
} else {
|
||||
$_SESSION['account_id'] = 0;
|
||||
App::$session->nuke();
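Review bot: The returning-visitor branch that starts at `// already logged in user returning` now authenticates on `$_SESSION['account_id']` alone: the Session hunk in this commit deletes `return_check()`, so no IP-consistency check remains between the cookie and the client, and the `App::$session->return_check();` line in this hunk can only be on the old side without becoming a call to a removed method (the gutter here does not show sides; this is inferred from the hunk line counts). A comment at the top of the branch would make the new trust boundary explicit, e.g. `// Session trusted on the cookie alone; IP-change checking (Session::return_check) was removed.` The loose `==` against `ACCOUNT_OK` / `ACCOUNT_UNVERIFIED` on the new `if (($r) && ...)` line is carried over from the removed code; assuming the ACCOUNT_* constants are integers, `intval($r['account_flags']) === ACCOUNT_OK` would avoid PHP's string/int juggling on a value read straight from the database. The enclosing `if (` block opens before this hunk and closes after it.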
|
||||
|
|